CVE-2022-37616
xmldom < 0.8.3 - Prototype Pollution via p Variable in copy Function
Severity
CRITICAL
Title source: llmDescription
A prototype pollution vulnerability exists in the function copy in dom.js in the xmldom (published as @xmldom/xmldom) package before 0.8.3 for Node.js via the p variable. NOTE: the vendor states "we are in the process of marking this report as invalid"; however, some third parties take the position that "A prototype injection/Prototype pollution is not just when global objects are polluted with recursive merge or deep cloning but also when a target object is polluted."
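The following is an added example, not code from xmldom or from the advisory. It shows the generic for..in copy pattern that the description refers to, fed a constructed attacker-controlled JSON object, next to a hardened variant. The function names (copyUnsafe, copyOwnOnly, copySafe), the ATTACKER_JSON input and the inheritedDemo helper are assumptions for illustration. It demonstrates the distinction the third parties draw: after the unsafe copy the target object inherits an attacker-supplied key while Object.prototype stays clean. It also shows a caveat: an own-property filter alone stops leakage of inherited properties but not an own key literally named "__proto__", which JSON.parse produces. Whether any xmldom call site actually passes untrusted input to copy is the disputed point in the description and is not settled by this snippet.

```javascript
"use strict";

// Vulnerable pattern: for..in copies every enumerable key, including an own
// key named "__proto__" (which JSON.parse creates as a data key) and any
// enumerable property inherited through src's prototype chain.
function copyUnsafe(src, dest) {
  for (var p in src) {
    dest[p] = src[p];
  }
  return dest;
}

// Own-property filter only: closes the inherited-property path, but an own
// "__proto__" key is still assigned and still triggers the prototype setter.
function copyOwnOnly(src, dest) {
  for (var p in src) {
    if (Object.prototype.hasOwnProperty.call(src, p)) {
      dest[p] = src[p];
    }
  }
  return dest;
}

// Hardened pattern (illustrative, not xmldom's fix): own keys only, never the
// keys that reach the prototype machinery, assigned via defineProperty so no
// setter on the destination can be invoked.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function copySafe(src, dest) {
  for (const p of Object.keys(src)) {
    if (BLOCKED_KEYS.has(p)) continue;
    Object.defineProperty(dest, p, {
      value: src[p],
      writable: true,
      enumerable: true,
      configurable: true,
    });
  }
  return dest;
}

// Constructed attacker-controlled input (hypothetical): a JSON document with a
// "__proto__" key. JSON.parse stores it as an own property rather than setting
// the prototype, so a naive copy later assigns it and hits the setter.
const ATTACKER_JSON = '{"name":"victim","__proto__":{"isAdmin":true}}';

// Copy the parsed input into a fresh target with the given copy function and
// report what happened to the target and to the global prototype.
function demo(copyFn) {
  const src = JSON.parse(ATTACKER_JSON);
  const dest = copyFn(src, {});
  return {
    name: dest.name,
    // true when the *target object* now inherits isAdmin (target pollution)
    targetPolluted: dest.isAdmin === true,
    // true only if Object.prototype itself was changed (never the case here)
    globalPolluted: Object.prototype.isAdmin === true,
  };
}

// Second path: a source whose prototype chain carries an enumerable property.
function inheritedDemo(copyFn) {
  const src = Object.create({ inheritedFlag: "leaked" });
  src.own = 1;
  const dest = copyFn(src, {});
  return { own: dest.own, inherited: dest.inheritedFlag };
}

console.log("copyUnsafe  :", demo(copyUnsafe), inheritedDemo(copyUnsafe));
console.log("copyOwnOnly :", demo(copyOwnOnly), inheritedDemo(copyOwnOnly));
console.log("copySafe    :", demo(copySafe), inheritedDemo(copySafe));
```

Run it with node; the first two lines report targetPolluted: true while globalPolluted stays false in every case, which is exactly the "target object is polluted" situation the third parties describe, and only copySafe leaves the target with its ordinary prototype.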
References (10)
Technical Description, Third Party Advisory
http://users.encs.concordia.ca/~mmannan/publications/JS-vulnerability-aisaccs2022.pdf
Technical Description, Third Party Advisory
https://dl.acm.org/doi/abs/10.1145/3488932.3497769
Third Party Advisory
https://dl.acm.org/doi/pdf/10.1145/3488932.3497769
Patch, Third Party Advisory
https://github.com/xmldom/xmldom/blob/bc36efddf9948aba15618f85dc1addfc2ac9d7b2/lib/dom.js#L1
Patch, Third Party Advisory
https://github.com/xmldom/xmldom/blob/bc36efddf9948aba15618f85dc1addfc2ac9d7b2/lib/dom.js#L3
Issue Tracking, Patch, Third Party Advisory
https://github.com/xmldom/xmldom/issues/436
Issue Tracking, Third Party Advisory
https://github.com/xmldom/xmldom/issues/436#issuecomment-1319412826
Issue Tracking, Third Party Advisory
https://github.com/xmldom/xmldom/issues/436#issuecomment-1327776560
Third Party Advisory
https://github.com/xmldom/xmldom/security/advisories/GHSA-9pgh-qqpf-7wqj
Mailing List, Third Party Advisory
https://lists.debian.org/debian-lts-announce/2022/10/msg00023.html
Scores
CVSS v3
9.8
EPSS
0.0154
EPSS Percentile
71.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-1321
Status
published
Products (5)
debian/debian_linux
10.0
npm/xmldom
0 (npm)
xmldom/xmldom
0.8.0 - 0.8.3 (npm)
xmldom_project/xmldom
0.9.0 beta1
xmldom_project/xmldom
< 0.6.0
Published
Oct 11, 2022
Tracked Since
Feb 18, 2026